Specification Languages for Stutter-Invariant Regular Properties

Specification Languages for Stutter-Invariant Regular Properties

Christian Dax¹, Felix Klaedtke¹, and Stefan Leue²

1ETH Zurich, Switzerland

2 University of Konstanz, Germany

Abstract. We present specification languages that naturally capture exactly the regular and ω-regular properties that are stutter invariant.

Our specification languages are variants of the classical regular expres- sions and of the core of PSL, a temporal logic, which is widely used in industry and which extends the classical linear-time temporal logic LTL by semi-extended regular expressions.

1 Introduction

Stutter-invariant specifications do not distinguish between system behaviors that differ from each other only by the number of consecutive repetitions of the ob- served system states. Stutter invariance is crucial for refining specifications and for modular reasoning [13]. Apart from these conceptual reasons for restricting oneself to stutter-invariant specifications, there is also a more practical moti- vation: stuttering invariance is an essential requirement for using partial-order reduction techniques (see, e.g., [2, 11, 15, 16, 20]) in finite-state model checking.

Unfortunately, checking whether an LTL formula or an automaton describes a stutter-invariant property is PSPACE-complete [18]. To leverage partial-order reduction techniques in finite-state model checking even when it is unknown whether the given property is stutter-invariant, Holzmann and Kupferman [12]

suggested to use a stutter-invariant overapproximation of the given property.

However, if the given property is not stutter-invariant, we might obtain coun- terexamples that are false positives. Moreover, the overapproximation of the property blows up the specification and decelerates the model-checking process.

Another approach for avoiding the expensive check whether a given property is stutter-invariant, is to use specification languages that only allow one to specify stutter-invariant properties. For instance, LTL without the next operator X, LTL_−X for short, captures exactly the stutter-invariant star-free properties [10, 17]. An advantage of such a syntactic characterization is that it yields a sufficient and easily checkable condition whether partial-order reduction techniques are applicable. However, LTL_−Xis limited in its expressive power.

Independently, Etessami [9] and Rabinovich [19] gave similar syntactic char- acterizations of the stutter-invariantω-regular properties. However, these char- acterizations are not satisfactory from a practical point of view. Both extend

Partly supported by the Swiss National Science Foundation.

Konstanzer Online-Publikations-System (KOPS) URN: http://nbn-resolving.de/urn:nbn:de:bsz:352-opus-105344

URL: http://kops.ub.uni-konstanz.de/volltexte/2010/10534/

fragments of LTL_−X by allowing one to existentially quantify over propositions.

To preserve stutter invariance the quantification is semantically restricted. Due to this restriction, the meaning of quantifying over propositions becomes unin- tuitive and expressing properties in the proposed temporal logics becomes diffi- cult. Note that even the extension of LTL with the standard quantification over propositions is considered as difficult to use in practice [21]. Another practical drawback of the temporal logic in [19] is that the finite-state model-checking problem has a non-elementary worst-case complexity. The finite-state model- checking problem with the temporal logic in [9] remains in PSPACE, as for LTL.

This upper bound on the complexity of the model-checking problem is achieved by additionally restricting syntactically the use of the non-standard quantifica- tion over propositions. The downside of this restriction is that the logic is not syntactically closed under negation anymore, which can make it more difficult or even impossible to express properties naturally and concisely in it. Expressing the complement of a property might lead to an exponential blow-up.

In this paper, we give another syntactic characterization in terms of a temporal logic of theω-regular properties that are stutter invariant. Our characterization overcomes the limitations of the temporal logics from [9] and [19]. Namely, it is syntactically closed under negation, it is easy to use, and the finite-state model- checking problem with it is solvable in practice. Furthermore, we also present a syntactic characterization of the stutter-invariant regular properties. Our char- acterizations are given as variants of the classical regular expressions and the linear-time core of the industrial-strength temporal logic PSL [1], which extends LTL with semi-extended regular expressions (SEREs). We name our variants siSEREs and siPSL, respectively. Similar to PSL, siPSL extends LTL_−X with siSEREs. For siSEREs, the use of the concatenation operator and the Kleene star is syntactically restricted. Moreover, siSEREs make use of a novel iteration operator, which is a variant of the Kleene star.

2 Preliminaries

Words. For an alphabetΣ, we denote the set of finite and infinite words by Σ^∗ and Σ^ω, respectively. Furthermore, we write Σ^∞ :=Σ^∗∪Σ^ω and Σ⁺ :=

Σ^∗\{ε}, whereεdenotes the empty word. The concatenation of words is written as juxtaposition. Theconcatenation of the languagesK ⊆Σ^∗ andL ⊆Σ^∞ is K;L := {uv : u ∈ K andv ∈ L}, and the fusion of K and L is K:L :=

{ubv ∈Σ^∗ : b∈Σ, ub∈K, andbv∈L}. Furthermore, forL⊆Σ^∗, we define L^∗:=

n≥0Lⁿ andL⁺:=

n≥1LⁿwithL⁰:={ε}andLⁱ⁺¹:=L;Lⁱ, fori∈N.

We write|w|for the length ofw∈Σ^∞ and we denote the (i+ 1)st letter ofw byw(i), where we assume thati <|w|. For a wordw∈Σ^ω andi≥0, we define w^≥i:=w(i)w(i+ 1). . . andw^≤i :=w(0). . . w(i).

Stutter-Invariant Languages. Let us recall the definition of stutter invariance from [18]. Thestutter-removal operator :Σ^∞→Σ^∞ maps a wordv ∈Σ^∞to the word that is obtained fromv by replacing every maximal finite substring of identical letters by a single copy of the letter. For instance,(aabbbccc) =abc,

(aab(bbc)^ω) =a(bc)^ω, and(aabbbccc^ω) =abc^ω. A languageL⊆Σ^∞ isstutter- invariant ifu∈L⇔v∈L, for allu, v∈Σ^∞with(u) =(v). A wordw∈Σ^∞ isstutter free ifw=(w). ForL⊆Σ^∞, we defineL:={(w) : w∈L}.

Propositional Logic. For a set of propositions P, we denote the set ofBoolean formulas overPbyB(P), i.e.,B(P) consists of the formulas that are inductively built from the propositions inP and the connectives∧ and¬. ForM ⊆P and b ∈ B(P), we write M |= b iff b evaluates to true when assigning true to the propositions inM and false to the propositions inP\M.

Semi-extended Regular Expressions. The syntax ofsemi-extended regular expres- sions (SEREs) over the proposition setP is defined by the grammar

r::=ε b r^∗ r;r r:r r∪r r∩r ,

where b ∈ B(P). We point out that in addition to the concatentation opera- tor ;, SEREs have the operator : for expressing the fusion of two languages. The language of an SERE overP is inductively defined:

L(r) :=

⎧⎪

⎪⎪

⎨

⎪⎪

⎪⎩

{ε} ifr=ε,

{b∈2^P : b|=r} ifr∈ B(P), L(s) L(t) ifr=s t, L(s) ^∗ ifr=s^∗,

where∈ {;,:,∪,∩}. Thesize of an SERE is its syntactic length, i.e.,||ε||:= 1,

||b||:= 1, forb∈ B(P),||rs||:= 1+||r||+||s||, for∈ {∪,∩,;,:}, and||r^∗||:= 1+||r||.

Propositional Temporal Logic. The core of the linear-time fragment of PSL [1]

is as follows. Its syntax over the setP of propositions is given by the grammar ϕ::=p cl(r) ¬ϕ ϕ∧ϕ Xϕ ϕUϕ rϕ ,

where p∈ P and r is an SERE overP. A PSL formula¹ over P is interpreted over an infinite wordw∈(2^P)^ω as follows:

w|=p iffp∈w(0)

w|=cl(r) iff∃k≥0 :w^≤k ∈L(r) or∀k≥0 :∃v∈L(r) :w^≤k is a prefix ofv w|=ϕ∧ψ iffw|=ϕandw|=ψ

w|=¬ϕ iffw|=ϕ w|=Xϕ iffw^≥1|=ϕ

w|=ϕUψ iff∃k≥0 :w^≤k |=ψ and∀j < k:w^≥j |=ϕ w|=rϕiff∃k≥0 :w^≤k ∈L(r) andw^≥k |=ϕ

The language of a PSL formula ϕ is L(ϕ) := {w ∈ (2^P)^ω : w |= ϕ}. As for SEREs, we define thesizeof a PSL formula as its syntactic length. That means,

||p|| := 1, ||cl(r)|| := 1 +||r||, ||¬ϕ|| := ||Xϕ|| := 1 +||ϕ||, ||ϕ∧ψ|| := ||ϕUψ|| :=

1 +||ϕ||+||ψ||, and||rϕ||:= 1 +||r||+||ϕ||.

1 For the ease of exposition, we identify PSL with its linear-time core.

Syntactic Sugar. We use the standard conventions to omit parenthesis, e.g., tem- poral operators bind stronger than Boolean connectives and the binary operators of the SEREs are left associative. We also use standard syntactic sugar for the Boolean values, the Boolean connectives, and the linear-time temporal opera- tors:ff :=p∧ ¬p, for some propositionp∈P,tt:=¬ff,ϕ∨ψ:=¬(¬ϕ∧ ¬ψ), ϕ→ψ:=¬ϕ∨ψ,Fϕ:=tt Uϕ,Gϕ:=¬F¬ϕ, andϕWψ:= (ϕUψ)∨Gϕ, where ϕandψ are formulas. Moreover,rϕabbreviates¬(r¬ϕ).

3 Stutter-Invariant Regular Properties

In this section, we present syntactic characterizations for stutter-invariant reg- ular andω-regular languages. In Section 3.1, we define a variant of SEREs that can describe only stutter-invariant languages. Furthermore, we show that this variant of SEREs is complete in the sense that any stutter-invariant regular language can be described by such an expression. Similarly, in Section 3.2, we present a variant of PSL for expressing stutter-invariant ω-regular languages.

In Section 3.3, we give examples that illustrate the use of our stutter-invariant variant of PSL.

3.1 Stutter-Invariant SEREs

It is straightforward to see that stutter-invariant languages are not closed un- der the concatenation and the Kleene star. A perhaps surprising example is the SEREp⁺;q⁺over the proposition set{p, q}, which does not describe a stutter- invariant language, althoughL(p⁺) andL(q⁺) are stutter-invariant languages.² In our variant of SEREs, we restrict the use of concatenation and replace the Kleene star by an iteration operator, which uses the fusion instead of the con- catenation for gluing words together. Namely, for a languageLof finite words, we defineL^⊕:=

n∈NL_n, whereL₀:=L andL_i+1:=L_i:L, fori∈N.

The following lemma summarizes some closure properties of the class of stutter- invariant languages.

Lemma 1. Let K ⊆ Σ^∗ and L, L ⊆ Σ^∞ be stutter-invariant languages. The languages L∩L, L∪L, K:L, and K^⊕ are stutter-invariant. Furthermore, Σ^∗\K,Σ^ω\L, andΣ^∞\Lare stutter-invariant.

Proof. We only show that the language K :L is stutter-invariant. The other closure properties are similarly proved. Assume thatu∈K:Land(u) =(v) for u, v ∈ Σ^∞. Let u = ubu, for some u ∈ Σ^∗, u ∈ Σ^∞, and b ∈ Σ with ub∈Kandbu∈L. SinceKis stutter-invariant, we can assume without loss of generality that ifuis nonempty thenu(|u|−1)=b. Since(u) =(v), there are v ∈Σ^∗ andv ∈Σ^∞ such thatv=vbv, (v) =(u), and(bv) =(bu).

From the stutter invariance ofKandL, it follows thatv∈K:L.

Our variant of SEREs is defined as follows.

2 Note that the word{p, q} {p, q}belongs toL(p⁺;q⁺) but the word{p, q}does not.

Definition 1. The syntax of siSEREsover the proposition setP is given by the grammar

r::=ε b⁺ b^∗;r r;b^∗ r:r r∪r r∩r r^⊕,

where b ranges over the Boolean formulas in B(P). The language L(r) of an siSEREr is defined as expected.

By an induction over the structure of siSEREs, which uses the closure properties from Lemma 1, we easily obtain the following theorem.

Theorem 1. The language of every siSERE is stutter-invariant.

In the remainder of this subsection, we show that any regular language that is stutter-invariant can be described by an siSERE. We prove this result by defining a functionκthat maps SEREs to siSEREs. We show that it preserves the language if the given SERE describes a stutter-invariant language. The function κis defined recursively over the structure of SEREs:

κ(ε) :=ε κ(b) :=b⁺

κ(s∪t) :=κ(s)∪κ(t) κ(s∩t) :=κ(s)∩κ(t) κ(s:t) :=κ(s) :κ(t) κ(s;t) :=

κ(s) :

a∈2^P

ˆa⁺:

ˆa^∗;κ(t)) ∪

κ(t) ifε∈L(s) ff otherwise κ(s^∗) :=ε∪κ(s)∪

κ(s) :

a∈2^P

aˆ⁺: (ˆa^∗;κ(s)) ^⊕ , whereb∈ B(P),s, tare SEREs, and ˆa:=

p∈ap∧

p ∈a¬p, fora∈2^P. Lemma 2. For every SERE r, the equalityL(r) =L(κ(r))holds.

Proof. We show the lemma by induction over the structure of the SEREr. The base cases whererisεorbwithb∈ B(P) are obvious. The step cases whereris of one of the formss∪t,s∩t, ors:tfollow straightforwardly from the induction hypothesis.

Next, we prove the step case whereris of the forms;t. For showingL(r)⊆ L(κ(r)), assume that u∈L(r). There are words x∈ L(s) andy ∈L(t) such that u = (xy). By induction hypothesis, we have that (x) ∈ L(κ(s)) and (y) ∈ L(κ(t)). The case where x the empty word is obvious. Assume that x=εanda∈2^P is the last letter ofx. We have that(xy)∈L

(κ(s) : ˆa) ;κ(t) and

L

(κ(s) : ˆa) ;κ(t) ⊆L

(κ(s) : (ˆa;κ(t)) ⊆L

κ(s) : ((ˆa: ˆa) ;κ(t))

⊆L

κ(s) : (ˆa⁺: (ˆa^∗;κ(t))) .

For showingL(r)⊇L(κ(r)), assume thatu∈L(κ(r)). We make a case split.

1. If ε ∈ L(s) and u ∈ L(κ(t)) then u ∈ L(t) by induction hypothesis. We conclude thatu∈L(ε;t)⊆L(s;t) =L(r).

2. Assume thatu∈L(κ(s):

a∈2^P

aˆ⁺:(ˆa^∗;κ(t)) ). There is a lettera∈2^P such thatu∈L(κ(s) : (ˆa⁺: (ˆa^∗;κ(t)))) =L(κ(s) : (ˆa;κ(t))). It follows that there are wordsxandy such thatu=xay, xa∈L(κ(s)), anday ∈L(ˆa;κ(t)).

We have that eitheray∈L(κ(t)) ory ∈L(κ(t)). By induction hypothesis, we have that xa ∈L(s) and either ay ∈L(t) ory ∈L(t). It follows that u∈L(r).

Finally, we prove the step case whereris of the forms^∗. We first showL(r)⊆ L(κ(r)). Assume that u ∈ L(s^∗). If u is the empty word or u∈ L(s) then there is nothing to prove. Assume that u is of the formu₁u₂. . . u_n with u_i ∈ L(s) and u_i = ε, for all 1 ≤ i ≤ n. By induction hypothesis, we have that u_i∈L(κ(s)). Leta_ibe the last letter ofu_i, for each 1≤i < n, respectively. We have that(ai−1ui)∈ L(ˆa⁺_i−1: (ˆa^∗_i−1;κ(s))), for all 1< i ≤n. It follows that (u1a1u2. . . an−1an)∈ L(κ(s)) :L(ˆa⁺₁ : (ˆa^∗₂;κ(s))) :. . .:L(ˆa⁺_n−1: (ˆa^∗_n;κ(s))).

Since(u) =(u1a1u2. . . an−1an), we conclude that(u)∈L(κ(r)).

For showingL(r)⊇L(κ(r)), we assume thatu∈L(κ(r)). The casesu=ε and u ∈ L(κ(s)) are obvious. So, we assume that u ∈ L

κ(s) : _a∈2P(ˆa⁺: (ˆa^∗;κ(s))) ^⊕ =L

κ(s) : _a∈2P(ˆa;κ(s)) ^⊕ =L

s: _a∈2P(ˆa;s) ^⊕ , where the last equality holds by induction hypothesis. There is an integern ≥2 and words u1, u2, . . . , un ∈ L(s) and letters a1, a2, . . . , an−1 ∈ 2^P such that u = (u1a1u2. . . an−1un) and (ui) = (uiai), for all 1 ≤ i < n. It follows that

u=(u1u2. . . un)∈L(s^∗).

A consequence of Lemma 2 is that the translated siSERE describes the mini- mal stutter-invariant language that overapproximates the language of the given SERE.

Lemma 3. For every SERE r, L(r)⊆L(κ(r)) and ifK is a stutter-invariant language with L(r)⊆K thenL(κ(r))⊆K.

Proof. LetKbe a stutter-invariant language withL(r)⊆Kand letw∈L(κ(r)).

We have to show thatw∈ K. Since L(κ(r)) is stutter-invariant, we have that (w)∈L(κ(r)). With Lemma 2, we conclude that (w)∈L(r). It follows that there is a word u ∈ L(r) with (u) = (w). Since K ⊇ L(r), we have that (w)∈Kand thus,w∈KsinceK is stutter-invariant.

It remains to be proven that L(r) ⊆ L(κ(r)). For w ∈ L(r), we have that (w) ∈ L(r). By Lemma 2, we have that (w) ∈ L(κ(r)). Since L(κ(r)) is

stutter-invariant, we conclude thatw∈L(κ(r)).

From Lemma 3 we immediately obtain the following theorem.

Theorem 2. For every stutter-invariant regular languageL, there is an siSERE rsuch that L(r) =L.

Note that the intersection and the fusion operation is not needed for SEREs to describe the class of regular languages. However, they are convenient for express- ing regular languages naturally and concisely. It follows immediately from the

definition of the functionκthat siSEREs even without the intersection operation exactly capture the class of stutter-invariant regular languages. However, in con- trast to the intersection operator, the fusion operator is essential for describing this class of languages with siSEREs.

Finally, we remark that when translating an SERE of the form r;s or s^∗, we obtain an siSERE that contains a disjunction of all the letters in 2^P that contains 2^|P|copies of κ(s). We conclude that in the worst case, the size of the siSEREκ(r) for a given SEREris exponential in||r||. It remains open whether for every SERE that describes a stutter-invariant regular language, there is a language-equivalent siSERE of polynomial size.

3.2 Stutter-Invariant PSL

Similar to the previous subsection, we define a variant of the core of PSL and show that this temporal logic describes exactly the class of stutter-invariant ω-regular languages.

Definition 2. The syntax of siPSLformulas is similar to that of PSL formulas except that the formulas do not contain the temporal operator X and instead of SEREs they contain siSEREs. The semantics is defined as expected.

By a straightforward induction over the structure of siPSL formulas and by using the closure properties from Lemma 1, we obtain the following theorem. Note that L(rϕ) =L(r) :L(ϕ). Furthermore, it is easy to see that the languageL(cl(r)) is stutter-invariant ifris an SERE or siSERE that describes a stutter-invariant language.

Theorem 3. The language of every siPSL formula is stutter-invariant.

In the following, we show that every stutter-invariantω-regular language can be described by an siPSL formula. We do this by extending the translations in [17]

for eliminating the temporal operatorX in LTL formulas to PSL formulas. We define the functionτthat translates PSL formulas into siPSL formulas as follows.

It is defined recursively over the formula structure and it uses the functionκfrom Section 3.1 for translating SEREs into siSEREs.

τ(p) :=p τ(cl(r)) :=cl(κ(r))

τ(¬ϕ) :=¬τ(ϕ) τ(ϕ∧ψ) :=τ(ϕ)∧τ(ψ) τ(ϕUψ) :=τ(ϕ)Uτ(ψ) τ(rϕ) :=κ(r)τ(ϕ)

τ(Xϕ) :=

a∈2^P

Gˆa∧τ(ϕ) ∨

b∈2^P\{a}

aˆUˆb∧τ(ϕ)

The intuition of the elimination of the outermost operatorXin a formulaXϕis as follows: “the first time after now that some new event happens,ϕmust hold, or else, if nothing new ever happens,ϕmust hold right now.”

Note that the size of the resulting siPSL formula is in the worst case exponen- tial in the size of the given PSL formula. The sources of the blow-up are (1) the translation of the SEREs in the given PSL formula into siSEREs and (2) the elimination of the temporal operatorX. We can improve the translationτ with respect to the size of the resulting formula by using the translation defined in [10]

for eliminating the operatorX in LTL formulas that describe stutter-invariant languages. The translation in [10] avoids the conjunctions over the letters in 2^P. Instead the conjunctions only range over the propositions inP. The elimination of an operatorXis not exponential in|P|anymore. However, the resulting trans- lation for PSL into siPSL is still exponential in the worst case because of (1).

The question whether the exponential blow-up can be avoided remains open.

The following lemma forτ is the analog of Lemma 2 for the functionκ.

Lemma 4. For every PSL formula ϕ, the equality L(ϕ) =L(τ(ϕ))holds.

Similar to Lemma 3 for SEREs, we obtain that the functionτ translates PSL formulas into siPSL formulas that minimally overapproximate the described lan- guages with respect to stutter invariance.

Lemma 5. For every PSL formula ϕ, L(ϕ) ⊆ L(τ(ϕ)) and if L is a stutter- invariant language withL(ϕ)⊆Lthen L(τ(ϕ))⊆L.

From Lemma 5 we immediately obtain the following theorem.

Theorem 4. For every stutter-invariantω-regular languageL, there is an siPSL formulaϕsuch thatL(ϕ) =L.

We remark that the finite-state model-checking problem for PSL and siPSL fall into the same complexity classes. Namely, the finite-state model-checking problem for siPSL is EXPSPACE-complete and the problem becomes PSPACE- complete when the number of intersection operators in the given siPSL formulas is bounded. These complexity bounds can be easily established from the existing bounds on PSL, see [4] and [5, 14]. Note that the automata-theoretic realization of the iteration operator⊕is similar to the one that handles the Kleene-star.

Recently, we proposed an extension of PSL with past operators [7]. As for LTL_−X[17], we remark that our result on the stutter invariance of siPSL straight- forwardly carries over to an extension of siPSL with past operators.

3.3 siPSL Examples

In the following, we illustrate that stutter-invariantω-regular properties can be naturally expressed in siPSL. For comparison, we describe these properties in siPSL and other temporal logics that express stutter-invariant properties.

Star-Free Properties. Consider the following commonly used specification pat- terns taken from [8]:

(P1) Absence: pis false afterq untilr.

(P2) Existence: pbecomes true betweenqandr.

Table 1.siPSL formulas and LTL_−Xformulas of the specification patterns

pattern siPSL formula LTL_−X formula

P1 G(q⁺:¬r⁺¬p) G(q∧ ¬r→(¬p)Wr)

P2 G((q∧ ¬r)⁺: (¬p^∗;r⁺)ff) G(q∧ ¬r→(¬r)W(p∧ ¬r)) P3 G(q⁺:¬r⁺:¬p: (¬r^∗;r⁺)ff) G(q∧ ¬r∧Fr→pUr) P4 G(q⁺: (¬r∧ ¬s)⁺¬p) G(q∧ ¬r→(¬p)W(s∨r))

P5 G(q⁺:¬r⁺:p(¬r⁺:s⁺tt)) G(q∧ ¬r→(p→(¬r)U(s∧ ¬r))Wr)

(P3) Universality: pis true betweenqandr.

(P4) Precedence: sprecedesp, after quntilr.

(P5) Response: sresponds top, afterquntil r.

Table 1 contains the formalization of these specification patterns in siPSL and LTL_−X. Note that any LTL_−X is also an siPSL formula. However, since practi- tioners often find it easier to use (semi-extended) regular expressions than the temporal operators in LTL, we have used siSEREs in the siPSL formulas to for- malize the patterns in siPSL. An advantage of siPSL over LTL_−X is that one can choose between the two specifications styles and mix them.

Omega-regular Properties. We consider the stutter-invariantω-regular language Ln:={w∈(2^{p})^ω : the number of occurrences of the subword{p}∅inw

is divisible byn},

forn≥2. The following siPSL formula describes the languageL_n: neverswitch∨

((¬p ^∗;switch) :. . . : (¬p^∗;switch)

ntimes

)^⊕neverswitch ,

whereswitch:=p⁺: (p^∗;¬p⁺) andneverswitch:= (¬p)W Gp.

Note that the languageLn is not star-free and thus, it cannot be described in LTL_−X. In the following, we compare our siPSL formalization of Ln with a formalization in the temporal logic SI-EQLTL from [9], which has the same expressive power as siPSL. We briefly recall the syntax and semantics of SI- EQLTL. The formulas in SI-EQLTL are of the form∃^hq₁. . .∃^hq_nϕ, whereϕis an LTL_−X formula over a proposition set that contains the propositionsq₁, . . . , q_n. The semantics of the quantifier∃^his as follows. Let P be a proposition set with q∈P. The wordw∈(2^P∪{q})^ωis aharmonious extensionofv∈(2^P)^ωif for all i∈N, it holds thatv(i) =w(i)∩P and ifv(i) =v(i+ 1) then w(i) =w(i+ 1).

Forv ∈(2^P)^ω, we definev |=∃^hq ϕ iffw |=ϕ, for some harmonious extension w∈(2^P∪{q})^ω ofv.

For readability, we only state an SI-EQLTL formula that describes the lan- guageL2 (the formula can be straightforwardly generalized for describing the languageLn withn≥2):

∃^hq

q∧G(q→neverswitch∨switch2)∧F neverswitch , where

switch₂:= (¬p∧q)U

(p∧q)U

(¬p∧ ¬q)U

(p∧ ¬q)U(¬p∧q) . Intuitively, the subformula switch2 matches subwords that contain two occur- rences of{p}∅. Furthermore, the harmoniously existentially quantified proposi- tionqmarks every positionkof a word inL2, where the number of occurrences of{p}∅inw^≤k is even.

We remark that we did not manage to come up with a simpler SI-EQLTL for- mula for describing the languageLn.³ Nevertheless, we consider the SI-EQLTL formula forLn still hard to read because of the harmonious quantified variableq and the nesting of the temporal operators, which is linear inn. Furthermore, note that the advantage of siPSL over LTL_−X, namely, to mix different specification styles, is also an advantage of siPSL over SI-EQLTL.

4 Concluding Remarks

We have presented the specification languages siSEREs and siPSL, which cap- ture exactly the classes of stutter-invariant regular and ω-regular languages, respectively. siSEREs are a variants of SEREs and siPSL is a variant of the tem- poral logic PSL [1], which is nowadays widely used in industry. siPSL inherits the following pleasant features from PSL. First, siPSL is easy to use. Second, the computational complexities for solving the finite-state model-checking problem with siPSL and fragments thereof are similar to the corresponding problems for PSL. Third, with only minor modifications we can use the existing tool support for PSL (like the model checker RuleBase [3], the formula translator into non- deterministic B¨uchi automatartl2ba[7], or the translator used in [6] with all its optimizations) for siPSL. We only need to provide additional support for the new Kleene-star-like iteration operator⊕of the siSEREs.

References

1. IEEE standard for property specification language (PSL). IEEE Std 1850TM (October 2005)

2. Alur, R., Brayton, R.K., Henzinger, T.A., Qadeer, S., Rajamani, S.K.: Partial-order reduction in symbolic state-space exploration. Form. Method. Syst. Des. 18(2), 97–116 (2001)

3. Beer, I., Ben-David, S., Eisner, C., Geist, D., Gluhovsky, L., Heyman, T., Landver, A., Paanah, P., Rodeh, Y., Ronin, G., Wolfsthal, Y.: RuleBase: Model checking at IBM. In: Marie, R., Plateau, B., Calzarossa, M.C., Rubino, G.J. (eds.) TOOLS 1997. LNCS, vol. 1245, pp. 480–483. Springer, Heidelberg (1997)

3 We encourage the reader to find a simpler SI-EQLTL formula that describesLn.

4. Ben-David, S., Bloem, R., Fisman, D., Griesmayer, A., Pill, I., Ruah, S.: Automata construction algorithms optimized for PSL. Technical report, The Prosyd Project (2005),http://www.prosyd.org

5. Bustan, D., Havlicek, J.: Some complexity results for SystemVerilog assertions. In:

Ball, T., Jones, R.B. (eds.) CAV 2006. LNCS, vol. 4144, pp. 205–218. Springer, Heidelberg (2006)

6. Cimatti, A., Roveri, M., Tonetta, S.: Symbolic compilation of PSL. IEEE Trans.

on CAD of Integrated Circuits and Systems 27(10), 1737–1750 (2008)

7. Dax, C., Klaedtke, F., Lange, M.: On regular temporal logics with past. In:

Proceedings of the 36th International Colloquium on Automata, Languages, and Programming, ICALP (to appear, 2009)

8. Dwyer, M.B., Avrunin, G.S., Corbett, J.C.: Patterns in property speci- fications for finite-state verification. In: Proceedings of the 21st Interna- tional Conference on Software Engineering (ICSE), pp. 411–420 (1999), http://patterns.projects.cis.ksu.edu/

9. Etessami, K.: Stutter-invariant languages, ω-automata, and temporal logic. In:

Halbwachs, N., Peled, D.A. (eds.) CAV 1999. LNCS, vol. 1633, pp. 236–248.

Springer, Heidelberg (1999)

10. Etessami, K.: A note on a question of Peled and Wilke regarding stutter-invariant LTL. Inform. Process. Lett. 75(6), 261–263 (2000)

11. Godefroid, P., Wolper, P.: A partial approach to model checking. Inf. Com- put. 110(2), 305–326 (1994)

12. Holzmann, G., Kupferman, O.: Not checking for closure under stuttering. In: Pro- ceedings of the 2nd International Workshop on the SPIN Verification System. Series in Discrete Mathematics and Theoretical Computer Science, vol. 32, pp. 163–169 (1996)

13. Lamport, L.: What good is temporal logic? In: Proceedings of the 9th IFIP World Computer Congress. Information Processing, vol. 83, pp. 657–668 (1983)

14. Lange, M.: Linear time logics around PSL: Complexity, expressiveness, and a little bit of succinctness. In: Caires, L., Vasconcelos, V.T. (eds.) CONCUR 2007. LNCS, vol. 4703, pp. 90–104. Springer, Heidelberg (2007)

15. Peled, D.: Combining partial order reductions with on-the-fly model-checking.

Form. Method. Syst. Des. 8(1), 39–64 (1996)

16. Peled, D.: Ten years of partial order reduction. In: Y. Vardi, M. (ed.) CAV 1998.

LNCS, vol. 1427, pp. 17–28. Springer, Heidelberg (1998)

17. Peled, D., Wilke, T.: Stutter-invariant temporal properties are expressible without the next operator. Inform. Process. Lett. 63(5), 243–246 (1997)

18. Peled, D., Wilke, T., Wolper, P.: An algorithmic approach for checking closure properties of temporal logic specifications andω-regular languages. Theoret. Com- put. Sci. 195(2), 183–203 (1998)

19. Rabinovich, A.M.: Expressive completeness of temporal logic of action. In: Brim, L., Gruska, J., Zlatuˇska, J. (eds.) MFCS 1998. LNCS, vol. 1450, pp. 229–238.

Springer, Heidelberg (1998)

20. Valmari, A.: A stubborn attack on state explosion. Form. Method. Syst. Des. 1(4), 297–322 (1992)

21. Vardi, M.Y.: From philosophical to industrial logics. In: Ramanujam, R., Sarukkai, S. (eds.) Logic and Its Applications. LNCS, vol. 5378, pp. 89–115. Springer, Heidelberg (2009)